We'll respond shortly.
We’re working on a feature where a user can reply to emails. We want to trust the “From:” field to identify the user, but aren’t sure how to set everything up properly.
We’re using SendGrid’s “Parse API” to receive the emails, and it tells us that we get an spf ‘permerror’ when sending from pivotallabs.com, but not from regular gmail.com or hotmail.com. What gives?
SPF only authenticates the envelope domain, so headers can’t be trusted. DKIM has the option to auth specific headers, so you may be able to trust DKIM.